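# Risotto template for the firewall unit: one nat-table MASQUERADE rule per
# declared outgoing port of each machine. This template only manages the nat
# table (POSTROUTING); it does not add any filter-table rules.
[Unit]
Description=Firewall for Risotto
After=network.target

[Service]
# oneshot + RemainAfterExit: every rendered ExecStart runs in order on start,
# every ExecStop on stop, and the unit is reported active in between.
Type=oneshot
RemainAfterExit=yes
# Set to True once at least one rule has been rendered; controls the
# no-op fallback at the end of this section.
%set %%has_rules = False
# Each outgoing entry is either "proto:port" or a bare port (then tcp).
# ExecStop lines carry the "-" prefix so a rule that is already gone on
# stop is not treated as a failure.
%for %%dns in %%machined.machines
%set %%machine = %%normalize_family(%%dns)
%set %%outgoing = %%machined['machine_' + %%machine]['outgoing_ports_' + %%machine]
%if %%outgoing
%set %%ip = %%machined['machine_' + %%machine]['ip_' + %%machine]
%for %%port in %%outgoing
%if ':' in %%port
%set %%protocol, %%port = %%port.split(':')
%else
%set %%protocol = 'tcp'
%end if
ExecStart=/sbin/iptables -t nat -A POSTROUTING -s %%ip -p %%protocol -m %%protocol --dport %%port -o %%output_interface -j MASQUERADE
ExecStop=-/sbin/iptables -t nat -D POSTROUTING -s %%ip -p %%protocol -m %%protocol --dport %%port -o %%output_interface -j MASQUERADE
%set %%has_rules = True
%end for
%end if
%end for
# No machine declared any outgoing port: emit a harmless no-op ExecStart.
%if not %%has_rules
ExecStart=/usr/bin/echo "No rule"
%end if

[Install]
WantedBy=multi-user.target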